1) count the number of entries in the file
* IMHO this is cosmetic and could even be dropped

If we want to have an accurate list of vulnerabilities, I would prefer
to add support for matching against the base name. It gets a bit messy,
but I have some code around for that anyway.

We spoke about this a while ago and that functionality would be good to
see. It would also mean we could go back to listing all vulnerabilities
for a package in the README.html, as opposed to just current ones, if we
wanted to.

2) check the version of the file against what it expects it to be

I do not understand what you wrote here.

genreadme.awk looks for the #FORMAT number inside the
pkg-vulnerabilities file and then matches it against the hard-coded
number in genreadme.awk. If the #FORMAT number in the file
pkg-vulnerabilities is greater than the one in genreadme.awk, it bails
with an error. See lines 268-297.
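
The format check described in the last message, sketched as an added example (this is not the code from genreadme.awk and not from any participant in the thread). It assumes the marker is a line of the form `#FORMAT <dotted number>`; the function names, exit codes and sample entry are constructed for illustration.

```shell
#!/bin/sh
# Added example, not genreadme.awk itself.
# Assumption: the marker line has the form "#FORMAT <dotted number>".

# check_vuln_format FILE SUPPORTED
# Exit status: 0 = format understood, 1 = file newer than SUPPORTED, 2 = no #FORMAT line.
check_vuln_format() {
    awk -v supported="$2" '
    # Numeric, field-by-field comparison of dotted versions; missing fields count as 0.
    function vercmp(a, b,    pa, pb, na, nb, n, i) {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if ((pa[i] + 0) > (pb[i] + 0)) return 1
            if ((pa[i] + 0) < (pb[i] + 0)) return -1
        }
        return 0
    }
    BEGIN { status = 2 }                 # fail closed until a marker is seen
    $1 == "#FORMAT" {
        status = (vercmp($2, supported) > 0) ? 1 : 0
        exit                             # first marker decides; END still runs
    }
    END {
        if (status == 1) print "format newer than supported " supported > "/dev/stderr"
        if (status == 2) print "no #FORMAT line found" > "/dev/stderr"
        exit status
    }' "$1"
}

# make_sample FORMAT: print a constructed vulnerability list (sample data, not real entries).
make_sample() {
    printf '#\n#FORMAT %s\n#\n' "$1"
    printf 'examplepkg<1.2\tdenial-of-service\thttps://example.org/advisory-1\n'
}

# Demo: a parser that understands 1.0.0 accepts 1.0.0 and refuses 1.1.0.
tmp=$(mktemp)
make_sample 1.0.0 > "$tmp"
check_vuln_format "$tmp" 1.0.0 && echo "1.0.0: accepted"
make_sample 1.1.0 > "$tmp"
check_vuln_format "$tmp" 1.0.0 || echo "1.1.0: rejected (status $?)"
rm -f "$tmp"
```

Comparing the fields numerically matters once a component reaches two digits: a plain string comparison would rank 1.10.0 below 1.9.0 and let a newer file through.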